Table of Contents
Advertisement
arp detection rule
Use arp detection rule to configure a user validity check rule.
Use undo arp detection rule to delete a user validity check rule.
Syntax
arp detection rule rule-id { deny | permit } ip { ip-address [ mask ] | any } mac { mac-address
[ mask ] | any } [ vlan vlan-id ]
undo arp detection rule [ rule-id ]
Default
No user validity check rule is configured.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
rule-id: Assigns an ID to the user validity check rule. The ID value range is 0 to 511. A smaller value
represents a higher priority.
deny: Denies matching ARP packets.
permit: Permits matching ARP packets.
ip { ip-address [ mask ] | any }: Specifies the sender IP address as the match criterion.
•
ip-address: Specifies an IP address in dotted decimal notation.
•
mask: Specifies the address mask in dotted decimal notation. If you do not specify the mask,
the ip-address argument specifies a host IP address.
•
any: Matches any IP address.
mac { mac-address [ mask ] | any }: Specifies the sender MAC address as the match criterion.
•
mac-address: Specifies a MAC address in the H-H-H format.
•
mask: Specifies the MAC address mask in the H-H-H format. If you do not specify the mask, the
argument specifies the host MAC address.
•
any: Matches any MAC address.
vlan vlan-id: Specifies the ID of a VLAN in the specified rule. The value range for the vlan-id
argument is 1 to 4094. If you do not specify a VLAN, the packets' VLAN information is not checked.
Usage guidelines
A user validity check rule takes effect only when ARP attack detection is enabled.
If you do not specify a rule ID, the undo arp detection rule command deletes all user validity check
rules.
Examples
# Configure a user validity check rule and enable ARP detection for VLAN 2.
<Sysname> system-view
[Sysname] arp detection rule 0 permit ip 10.1.1.1 255.255.0.0 mac 0001-0203-0405
ffff-ffff-0000
[Sysname] vlan 2
630
Advertisement
Table of Contents
